HAproxy - Multiple front ends listening on the same interface/port

  • Hi,
    With a previous package version, I was able to set up multiple front ends listening on the same interface and port that should have worked since they used different ACLs, but occasionally got the wrong one causing timeouts.

    With the new devel package, how can I set up multiple front ends listening on the same interface and port. These need to go to different back ends based on they're ACL.

    Also can this be done with another port, such as 22?
    When i've used HAproxy for reverse proxying SSH traffic it causes intermittent disconnects often that ruins the experience so I currently only have SSH access available to a development box, but have several dev boxes which several different developers need access to.

    I could set up a VPN, but is possible to get reverse proxying of 22 to multiple hosts working?
    Thanks for your time and help.

  • hi,

    the haproxy-devel package supports "shared-frontends" to support having multiple domains use different backends depending on the acl's used.

    It is however not possible to utilize this for SSH connections as those dont send upfront to what domain they want to connect to..

    http and ssl connections can both do this using respectively  host-header or SNI.

    greets PiBa-NL

  • Hi,
    Thanks for your help with this, I was able to get my services back up and running without using shared front ends.
    I'm now ready to explore using PFsenses's shared-frontends but this is reliant on HAproxy's ACLs.

    Could you please give me a quick example of a ACL that uses host headers to direct a specific host header to a specific backend?

  • Hi,
    Create a shared-frontend and select the 'main' frontend to combine it with. Then in that frontend add acl's like done here: https://forum.pfsense.org/index.php?topic=73903.msg409614#msg409614 Though there combinations of both domain and path are checked by using the same acl name, and 7 different combinations, for starters only the first line like in the screenshot would already be enough to check for a single domain host name.

    Does that help?
    Greets PiBa-NL

  • Hi PiBa,
    I really appreciate your help.

    I'll try this tonight, but can you explain how these ACLs direct traffic to another back-end?
    The bit I don't understand logically is that you select a "main" backend, but the ACLs in the post you provide don't specify any other back end.

    In my environment, I have five front ends and 3 back ends. I'd like to manage a shared-frontend which listens on :80 to direct traffic as required based on the ACLs based on host headers or paths.
    If i set up ACLs for all five front ends, how does HAproxy understand where to direct traffic?

    So for example i'd use a "path starts with" "/nagios3" to direct one front end to my backend which hosts nagios and a "contains" "mydomainname.com" to direct traffic to a management console.
    I'd also have ACLs set up for three other websites, one which has it's own webserver and two which are vhosts on the same server.

  • Hi,
    If you have a number 'shared frontends', each one has its own set of acl's, when a set of acls is found that evaluates to be matching the traffic then the backend configured in that 'shared-frontend' is used. Its not like the 'main' frontend uses acls to distribute traffic, it is only that that frontend contains most of the settings which only can be set once..

    Hope that makes it a bit more clear.
    Greets PiBa-NL

  • Sorry I figured it out once i'd had a bit more of a play with it.

    Thanks very much for your time and help.

Log in to reply